package com.kzw.config;

import org.springframework.beans.factory.annotation.Autowired;
import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;
import org.springframework.security.authentication.AuthenticationManager;
import org.springframework.security.config.annotation.authentication.builders.AuthenticationManagerBuilder;
import org.springframework.security.config.annotation.method.configuration.EnableGlobalMethodSecurity;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity;
import org.springframework.security.config.annotation.web.configuration.WebSecurityConfigurerAdapter;
import org.springframework.security.config.http.SessionCreationPolicy;
import org.springframework.security.core.userdetails.UserDetailsService;
import org.springframework.security.crypto.password.NoOpPasswordEncoder;
import org.springframework.security.crypto.password.PasswordEncoder;

import com.kzw.misc.jwt.handler.CustomAccessDeniedHandler;
import com.kzw.misc.jwt.handler.CustomLogoutSuccessHandler;
import com.kzw.oa.system.service.AppUserDetailsService;

/**
 * 安全控制中心
 */	
@SuppressWarnings("deprecation")
@Configuration
@EnableWebSecurity
@EnableGlobalMethodSecurity(prePostEnabled = true)
public class WebSecurityConfig extends WebSecurityConfigurerAdapter {
	
	@Bean
	public static PasswordEncoder passwordEncoder() {
	  return NoOpPasswordEncoder.getInstance();
	}
	
	/**
     * 需要放行的URL
     */
    private static final String[] AUTH_WHITELIST = {
    		"/*.txt",
            "/js/**",
            "/css/**",
            "/fonts/**",
            "/images/**",
            "/upload/**",
            "/ueditor/**",
            "/layuiadmin/**",
            "/blog",
            "/blog/index",
            "/static/**",
            "/file/download",
            
            
            "/api2/**",
            "/api/**",
			"/h5/**",
			"/login",
			"/ui/login",
			"/favicon.ico"
    };

    @Autowired
    private CustomAccessDeniedHandler customAccessDeniedHandler;
    
    @Autowired
    private CustomLogoutSuccessHandler customLogoutSuccessHandler;
    
	private UserDetailsService userDetailsService;
	
	public WebSecurityConfig(AppUserDetailsService userDetailsService) {
		this.userDetailsService = userDetailsService;
	}

	/**
	 * 该方法是登录的时候会进入
	 * */
	@Override
	protected void configure(AuthenticationManagerBuilder auth) throws Exception {
		auth.userDetailsService(this.userDetailsService);
	}

	/**
	 * 设置 HTTP 验证规则
	 * @param http
	 * @throws Exception
	 */
	@Override
	protected void configure(HttpSecurity http) throws Exception {
		http.cors().and().csrf().disable().sessionManagement().sessionCreationPolicy(SessionCreationPolicy.IF_REQUIRED)
				.and().authorizeRequests().antMatchers(AUTH_WHITELIST).permitAll()
				.anyRequest().authenticated() // 所有请求需要身份认证
				.and().formLogin().loginPage("/ui/login").failureUrl("/ui/login?error")
				.and().exceptionHandling().accessDeniedHandler(customAccessDeniedHandler) // 自定义访问失败处理器
				.and().headers().frameOptions().disable().and()
				.logout() // 默认注销行为为logout，可以通过下面的方式来修改
				.logoutUrl("/logout").logoutSuccessUrl("/ui/login")// 设置注销成功后跳转页面，默认是跳转到登录页面;
				.logoutSuccessHandler(customLogoutSuccessHandler)
				.permitAll();
	}
	
	@Bean
	public AuthenticationManager authManager() throws Exception {
		return authenticationManager();
	}

}
